The WannaCry “kill switch”

On Friday night, an anonymous researcher reported that he had reverse engineered the WannaCry code. The ransomware takes advantage of a vulnerability in the Server Message Block version 1 (SMBv1) file-sharing protocol in Windows and uses the EternalBlue exploit against it to compromise a machine. Once in, it plants the DoublePulsar kernel backdoor (an implant that has also been turning up on its own lately) and uses it to load the ransomware package, which then begins encrypting the victim's files. Before it does that, however, the researcher noted that WannaCry reaches out to a domain consisting of a long string of seemingly random characters. That domain did not exist. So the researcher registered it, accidentally discovering the malware's "kill switch": if the request to the domain succeeds, the sample exits without encrypting anything; if it fails, the sample proceeds.

Having a kill switch in the malware code is very curious. It suggests that the author wanted to be able to control it, and that WannaCry might have been either an experiment or a proof of concept (POC) for something planned for later. Another reading is that it is an anti-analysis check: some sandboxes answer every DNS query they see, so a sample that finds an unregistered domain responding can conclude it is being analysed and quit. At this point we don't know. Whatever the intent, the check is a plain HTTP request with no proxy support, so a host that cannot reach the domain directly (outbound traffic blocked, or allowed only through a proxy) carries on encrypting even now that the domain is registered.
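Because every copy of the original sample performs that lookup before it touches a file, a DNS query log is a cheap place to hunt for infected hosts. The PowerShell below is an added example, not code from the article or from any vendor; the domain string is the one the researcher registered, taken from public reporting rather than from this article, and the log layout and the sample lines are constructed for the example, so adapt the regular expression to your resolver's format.

```powershell
# Added example (not from the article): hunt a DNS query log for lookups of the
# WannaCry kill-switch domain. Any internal host that asks for this name has run
# the sample. The response code only tells you whether the name resolved for
# that host; it does not prove the kill switch fired, since the HTTP request
# that follows the lookup also fails on networks without direct egress.

# The domain the researcher registered (public reporting, not from the article).
$KillSwitchDomain = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

function Find-KillSwitchLookups {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string] $Domain = $KillSwitchDomain
    )
    # Assumed (constructed) log layout: "<timestamp> <client-ip> <query-name> <rcode>"
    $pattern = '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<qname>\S+)\s+(?<rcode>\S+)\s*$'
    foreach ($line in $LogLines) {
        # Lines that do not parse, or that ask for some other name, are skipped.
        if ($line -match $pattern -and $Matches['qname'].TrimEnd('.') -eq $Domain) {
            [pscustomobject]@{
                Time   = $Matches['ts']
                Client = $Matches['client']
                # NXDOMAIN: the host asked before the domain was registered (or
                # cannot resolve it at all), so the kill switch did not fire for it.
                Rcode  = $Matches['rcode']
            }
        }
    }
}

# Constructed sample log: three hosts, two of them asking before registration.
$sample = @(
    '2017-05-12T10:01:07Z 10.0.4.17  iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NXDOMAIN',
    '2017-05-12T10:01:09Z 10.0.4.17  windowsupdate.microsoft.com.                    NOERROR',
    '2017-05-12T10:03:41Z 10.0.9.200 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NXDOMAIN',
    '2017-05-13T08:15:22Z 10.0.2.5   iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NOERROR'
)

# One row per client: how often it asked, when it first asked, and what it got.
Find-KillSwitchLookups -LogLines $sample |
    Group-Object Client |
    ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Name
            Lookups   = $_.Count
            FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            Rcodes    = ($_.Group.Rcode | Sort-Object -Unique) -join ','
        }
    } | Format-Table -AutoSize
```

Feed it the real query log from your resolver (or a proxy log, if the lookup shows up there instead) and treat every client in the output as a host to isolate and examine, regardless of the response code.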

By the way, it's always a good idea to turn off any Windows features that your machine doesn't use. In Windows 10, for example, SMBv1 is still enabled by default even though the current SMB versions do not need it. Microsoft has published how to turn off SMBv1 if it is not business critical. Microsoft has also published the fix for the vulnerability itself (MS17-010, released in March 2017), and disabling SMBv1 is a complement to that patch, not a substitute for it.
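The following PowerShell is an added example of that hygiene for a Windows 10 machine, not Microsoft's published procedure reproduced verbatim. It reports whether SMBv1 is installed and enabled, optionally removes it and blocks inbound TCP 445 on the Public firewall profile, and checks for a patch KB you supply; the function name, the -Apply switch and the -Ms17010Kb parameter are this example's own conventions, and the KB number for your build has to be looked up in the MS17-010 bulletin.

```powershell
# Added example, not code from the article or from Microsoft. Run from an
# elevated PowerShell prompt on Windows 10. Without -Apply it only reports.

function Invoke-Smb1Hardening {
    param(
        [switch] $Apply,      # change the machine only when this is given
        [string] $Ms17010Kb   # e.g. the KB for your build from the MS17-010 bulletin (assumed supplied by you)
    )

    # 1. Is the SMB1 optional feature installed? (Windows 10 client feature name)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    Write-Output ("SMB1Protocol feature state   : {0}" -f $feature.State)

    # 2. Is the server side of SMBv1 still switched on?
    $srv = Get-SmbServerConfiguration
    Write-Output ("EnableSMB1Protocol (server)  : {0}" -f $srv.EnableSMB1Protocol)

    # 3. Is the MS17-010 fix installed? Get-HotFix writes an error if the KB is absent.
    if ($Ms17010Kb) {
        $fix = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
        Write-Output ("{0} installed                : {1}" -f $Ms17010Kb, [bool]$fix)
    }

    if (-not $Apply) { return }

    # Turn off the SMBv1 server first (takes effect without a reboot), then
    # remove the feature, which takes the SMB1 client with it after a reboot.
    if ($srv.EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    # 4. Keep EternalBlue from reaching the box from untrusted networks at all:
    #    block inbound 445 on the Public profile. Domain/Private keep file sharing.
    $ruleName = 'Block inbound SMB (TCP 445) - Public'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
    Write-Output 'Done. Reboot to finish removing the SMB1Protocol feature.'
}

Invoke-Smb1Hardening                                   # report only
# Invoke-Smb1Hardening -Apply -Ms17010Kb KB1234567     # placeholder KB: substitute the one for your build
```

Run it once without -Apply to see where the machine stands, then with -Apply once you have confirmed nothing on the network still depends on SMBv1 (old NAS boxes and printers are the usual culprits).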

Version 2.0 or not?

On Saturday, InfoSec researchers were also questioning whether the WannaCry author, realizing that the original code had been stopped, had released a second version without the kill switch. It is unclear whether that is the case, although one researcher did report stopping a second wave. Antivirus firm Kaspersky, and others, reported on Saturday seeing variants without a kill switch. Other researchers countered that some of these new derivatives are copy-cats rather than the author's own work. One version 2.0 candidate, for example, didn't even manage to encrypt the compromised machines because its payload was corrupted.

Another source of confusion surrounding the second version was the origin of WannaCry itself. A few days earlier, a new ransomware family, Jaff, had been reported by Cisco Talos. Jaff, however, spreads via phishing attacks, sending email in bulk from compromised machines. WannaCry is a worm that propagates on its own over SMB and does not use email to spread. As of Sunday, no technical relationship had been established between Jaff and WannaCry.

And then there’s the ransom

Another thing that sets WannaCry apart is that the previous worm outbreaks of this scale were not for financial gain. The ransom payment for WannaCry is in Bitcoin: the note, which is localized into the victim's language, demands the equivalent of $300, and warns that the price doubles after three days and that the files are lost after seven. In some parts of the world $300 is a lot of money. While victims still have several days to pay before they permanently lose access to their data, it appears that after the first 48 hours, many people aren't paying.

Because the sample hard-codes the three Bitcoin addresses it tells victims to pay, anyone can watch the payments arrive on the blockchain. As of Saturday, the amount paid to the authors of WannaCry was $26,000, and by Sunday morning $30,000. As of Sunday night, it appears to be about $35,000. This is not nearly the millions that some first expected. While there is still time for people to pay up, they only have a few more days before their data is permanently locked up. It appears that people are either walking away from their data or restoring from backups.

It's better not to let your Windows boxes fall victim to WannaCry or any other malware. Keep your operating system current. Patch when updates become available. Turn off any unused features, and block unused ports such as TCP 445 at the perimeter and between network segments. Good hygiene along with industry best practices can keep your computers and networks up and running.

It’s been a bumpy ride, but it’s not too late to get serious about security.